Misconfigured Box accounts lead to sensitive data leaks

Staff at top organizations shared private links publicly using the cloud storage platform

Shares

Image Credit: Box

Employees from dozens of major organizations have accidentally been leaking sensitive company and customer data by sharing public links to files in their Box enterprise storage accounts.

The discovery was made by the cybersecurity firm Adveris which found that major tech and corporate giants had inadvertently left company data exposed.

Data stored in a Box enterprise account is private by default but users have the ability to share files and folders with anyone through a publicly accessible link. Adveris discovered that these secret links can easily be discovered by others.

The firm found more than 90 companies with publicly accessible folders after using a script to scan for Box accounts with a list of company names.

Accidental data leaks

To make matters worse, even some of Box's own staff had accidentally leaked sensitive company data. According to the company, many organizations are not aware of the fact that the sensitive data they share can be found by others.

Box is well aware of the issue and Adveris brought attention to this fact in a blog post in which it quoted a post from the company's community portal which read:

“Creating public custom shared links for any content may result in anyone who can guess the URL gaining access to that content. To reduce risk to sensitive content, we recommend that: Administrators configure Shared Link default access to 'People in your company' to reduce accidental creation of public (open) links by users. Administrators regularly run a shared link report (as described here) to find and manage public custom shared links. Users do not create public (open) custom shared links to content that is not intended for public consumption.”

To give some context to the gravity of this situation, Apple, Discovery television network, PR firm Edelman, nutrition giant Herbalife, the nonprofit Opportunity International, medical insurance software company PointCare and Schneider Electric all had employees that shared private links publicly using Box.

If your organization currently uses Box, it is recommended you train employees on how to properly share links or consider using a different cloud storage service altogether.